Created
May 16, 2016 01:32
#!/-sr/bin/python | |
import sys | |
import pwn | |
import string | |
# Substitution tables. Table-driven decoders in this script map the character
# found at index i of a "cipher" table to the character at index i of ALPHA.
# NOTE: "\]" is not a recognised escape, so the backslash stays in the string.
ALPHA = "abcdefghijklmnopqrstuvwxyz0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~ !\"#$%&(=>?@" + ")*+,-./" + ":;<[\]^_`y"
# Author's working note, kept as found:
#"abcdefghijklmnopqrstuvwxy
MOV13 = "nopqrstuvwxyz{|}~ !\"#$%&(=>?@ABCDEFG-NOPQRSTUVWXYZ[\]^_`abcdefg)*+,-./01235JKLM" + "6789:;<" + "GHIhijklm'"
# CAESAR is the plain alphabet and CAESAD the matching substituted alphabet,
# position for position.
CAESAR = "abcdefghijklmnopqrstuvwxyz0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZ"
CAESAD = "axje.uidchtnmbrl'poygk,qf;0123456789 AXJE>UIDCHTNMKY:QPRGLVWXJZ"
# Author's sample strings, kept as found:
# retn: tvn{"F"# "yr
# test: tvn{"-"# "yr
# clrx: giant9turtle

# Show every printable character that ALPHA does not cover; a decoder fed one
# of these has no table entry to map it through.
out = "".join(ch for ch in string.printable if ch not in ALPHA)
print(out)
# Letter/digit -> Morse table. The ' ' -> '!' entry is not Morse: '!' is the
# placeholder token that stands for a word gap when a prompt is tokenised.
CODE = {
    'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..',
    'E': '.', 'F': '..-.', 'G': '--.', 'H': '....',
    'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
    'M': '--', 'N': '-.', 'O': '---', 'P': '.--.',
    'Q': '--.-', 'R': '.-.', 'S': '...', 'T': '-',
    'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
    'Y': '-.--', 'Z': '--..',
    '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-',
    '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
    ' ': '!',
}
def caesar_generic(data, cipher, plain):
    """Translate *data* through a pair of substitution tables.

    Each character of *data* is searched for in *cipher*; the first matching
    index selects the replacement from *plain*. A character with no entry in
    *cipher* is reported on stdout and replaced by ".".

    Raises IndexError if *plain* is shorter than the matching index.
    """
    pieces = []
    for ch in data:
        for idx, candidate in enumerate(cipher):
            if ord(ch) == ord(candidate):
                pieces.append(plain[idx])
                break
        else:
            # No table entry: keep the output aligned with the input by
            # emitting a placeholder instead of dropping the character.
            print("d is true, missing character %c" % ch)
            pieces.append(".")
    return "".join(pieces)
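def caesar(data):
    """Map *data* from the CAESAD alphabet back to ALPHA.

    Each character found in CAESAD is replaced by the character at the same
    index in ALPHA; anything else is reported on stdout and replaced by ".".
    This is the same lookup as caesar_generic(), so it delegates to it rather
    than repeating the loop.
    """
    return caesar_generic(data, CAESAD, ALPHA)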
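def rot13(data):
    """Map *data* from the MOV13 table back to ALPHA.

    Despite the name this is a table lookup: each character found in MOV13 is
    replaced by the character at the same index in ALPHA, and anything else is
    reported on stdout and replaced by ".". The loop was a copy of
    caesar_generic(), so it delegates to it.
    """
    return caesar_generic(data, MOV13, ALPHA)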
# Decode one sample string through the MOV13 table as a quick sanity check.
print(rot13("\" '-!%vzzv{t"))
# sys.exit(0)  # left disabled; enabling it stops the script before it connects
def decrypt(data):
    """Turn a sequence of Morse tokens back into text using CODE.

    Every token equal to a value in CODE contributes the matching key; a token
    with no entry in CODE contributes nothing, so unknown tokens are dropped
    silently and the result can be shorter than the input.
    """
    decoded = []
    for token in data:
        decoded.extend(symbol for symbol in CODE.keys() if CODE[symbol] == token)
    return "".join(decoded)
import re | |
# Hard-coded challenge endpoint. The connection is opened as soon as this
# module-level statement runs, and everything later read from `p` is text
# chosen by the remote side that the rounds below parse without validation.
p = pwn.remote("146.148.102.236", 24069)
def countspaces(str_in):
    """Return the positions of all spaces in *str_in*, as a string.

    The result is the text form of a list, e.g. "[1, 3]", not a count; the
    script uses it as part of a dictionary key and writes it to save.lst.
    """
    positions = [idx for idx, ch in enumerate(str_in) if ch == ' ']
    return str(positions)
def firstspace(str_in):
    """Return the index of the first space in *str_in*.

    When there is no space the number of characters examined is returned,
    which for a string is its length.
    """
    consumed = 0
    for consumed, ch in enumerate(str_in, 1):
        if ch == ' ':
            # `consumed` counts from 1, so step back to the 0-based index.
            return consumed - 1
    return consumed
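import errno


def load_state_lines(path):
    """Return the records stored in *path*, one string per line.

    Only the line terminator is removed, so a record whose text ends in
    spaces comes back intact (a bare rstrip() would shorten it and change the
    length the lookup keys depend on). A file that does not exist yet yields
    an empty list so a first run can start with empty tables; any other I/O
    error is re-raised.
    """
    try:
        with open(path, "r") as handle:
            return [line.rstrip("\r\n") for line in handle]
    except IOError as err:
        if err.errno != errno.ENOENT:
            raise
        return []


# (text length, (space positions as text, index of first space)) -> answer text
length_brute_force = {}
# word shape ("x" per character, " " per space) -> answer text
pattern_brute = {}

# save.lst records are "length:space-positions:first-space:text". Splitting
# at most three times keeps a ":" inside the text from breaking the unpack.
for record in load_state_lines("save.lst"):
    if not record:
        continue  # tolerate blank lines instead of failing the unpack
    (a, x, y, c) = record.split(":", 3)
    length_brute_force[(int(a), (x, int(y)))] = c

# patterns.lst records are "shape:text"; the shape never contains ":", so
# only the first ":" separates the two fields.
for record in load_state_lines("patterns.lst"):
    if not record:
        continue
    (cipher, pattern) = record.split(":", 1)
    pattern_brute[cipher] = pattern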
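def save_patterns():
    """Rewrite patterns.lst from the in-memory pattern_brute table.

    One "shape:text" record is written per entry. The file is opened in a
    `with` block so the handle is closed even if a write fails.

    NOTE(review): opening with "w" truncates the file before the new contents
    are written, so an interruption mid-write leaves a partial table on disk.
    """
    with open("patterns.lst", "w") as sink:
        for shape in pattern_brute.keys():
            sink.write(shape + ":" + pattern_brute[shape] + "\n")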
def add_pattern(in_str):
    """Remember *in_str* under its word shape in pattern_brute.

    The shape keeps each space and replaces every other character with "x".
    If the shape is already known the existing entry is kept and a notice is
    printed, so two different texts with the same shape are not told apart.
    """
    shape = "".join(" " if ch == ' ' else "x" for ch in in_str)
    if shape in pattern_brute:
        print("already got it")
    else:
        pattern_brute[shape] = in_str
def get_pattern(in_str):
    """Return the text stored for the word shape *in_str*.

    Raises KeyError when that shape was never recorded by add_pattern().
    """
    remembered = pattern_brute[in_str]
    return remembered
# Round 1: the prompt carries Morse code, which decrypt() turns back into text.
# The decoded text is also recorded in pattern_brute and length_brute_force.
# NOTE(review): this listing lost its indentation, so which statements belong
# to the `while True:` body cannot be determined from here.
print "ROUND 1" | |
while True: | |
# NOTE(review): recv() returns whatever has arrived so far; a prompt split
# across two reads would not match the regex below - confirm against pwntools.
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send("!!!!????\n") | |
data = p.recv() | |
print data | |
# NOTE(review): the trailing "?" is a regex quantifier (it makes the final
# "d" optional), not a literal question mark. re.search() returns None when
# the prompt is absent, and .group(1) then raises AttributeError.
d = re.search("What is (.*) decrypted?",data) | |
morsedata = d.group(1) | |
# Tokenise the Morse text; "!" is the CODE entry for a space.
# NOTE(review): as printed, replace() targets a single space; whitespace may
# have been collapsed in this listing - confirm against the original file.
morse_chars = morsedata.replace(" "," ! ").split(' ') | |
print decrypt(morse_chars) | |
encrypteddata = decrypt(morse_chars).lower() | |
add_pattern(encrypteddata) | |
# Lookup key component: (space positions as text, index of first space).
c = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
if (len(encrypteddata),c) not in length_brute_force.keys(): | |
print "adding length %d :: %s" % (len(encrypteddata),rot13(encrypteddata)) | |
length_brute_force[(len(encrypteddata),c)] = encrypteddata | |
else: | |
# Same length and space layout but different text: the key is ambiguous.
if length_brute_force[(len(encrypteddata),c)] != encrypteddata: | |
print "collision : %s vs %s" % (length_brute_force[(len(encrypteddata),c)],encrypteddata) | |
else: | |
print "already got it" | |
p.send(decrypt(morse_chars) + "\n") | |
save_patterns() | |
p.send("test\n") | |
# Round 2: the prompt text is decoded with the MOV13 table (rot13()), the
# result is recorded in both lookup tables and sent back as the answer.
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 2" | |
print "LEN ALPHA: %d :: LEN MOV13: %d" % (len(ALPHA),len(MOV13)) | |
while True: | |
data = p.recv() | |
print data | |
# NOTE(review): "?" here is a regex quantifier, and a non-matching chunk makes
# d None so that d.group(1) raises AttributeError.
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata = d.group(1) | |
# The space layout is taken from the decoded text; the length from the raw text.
c = (countspaces(rot13(encrypteddata)),firstspace(rot13(encrypteddata))) | |
add_pattern(rot13(encrypteddata)) | |
if (len(encrypteddata),c) not in length_brute_force.keys(): | |
print "adding length %d :: %s" % (len(encrypteddata),rot13(encrypteddata)) | |
length_brute_force[(len(encrypteddata),c)] = rot13(encrypteddata) | |
else: | |
if length_brute_force[(len(encrypteddata),c)] != rot13(encrypteddata): | |
print "collision : %s vs %s" % (length_brute_force[(len(encrypteddata),c)],rot13(encrypteddata)) | |
else: | |
print "already got it" | |
print encrypteddata + "::"+ rot13(encrypteddata) | |
p.send(rot13(encrypteddata) + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send("MNOPQRSTUVWXYZ\n") | |
save_patterns() | |
# Persist length_brute_force as "length:space-positions:first-space:text".
# NOTE(review): the text field comes from server-supplied data; a ":" or a
# newline inside it would produce a record the loader cannot unpack.
f = open("save.lst","w") | |
for i in length_brute_force.keys(): | |
(a,b) = i | |
(x,y) = b | |
c = length_brute_force[i] | |
f.write("%s:%s:%d:%s\n" % (a,x,y,c)) | |
f.close() | |
print length_brute_force | |
p.send("AAAA\n") | |
# Round 3: nothing is decoded here; the answer is looked up in
# length_brute_force by the prompt's length and space layout.
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 3" | |
while True: | |
data = p.recv() | |
print data | |
# NOTE(review): d is None if the prompt is not in this chunk, and
# d.group(1) then raises AttributeError.
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata = d.group(1) | |
d = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
# Raises KeyError when this length/space layout was never recorded.
c = length_brute_force[(len(encrypteddata),d)] | |
print c | |
p.send(c + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send("x\n") # give me some sample text | |
# Tables for the caesar_generic() call that is commented out below; nothing
# else in this part of the script reads them.
ROUND4_CIPHER = "abcdefghijklmnopqrstuvxy" + "wz0123456789 " | |
ROUND4_PLAINT = "UVWXYZ[\]^_`abcdefghijlm" + "47LMNOPQRSTU<" | |
# Round 4: the prompt states which character a space encrypts to. That
# character is turned back into a space and the answer is looked up in
# length_brute_force by length and space layout.
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 4" | |
p.send(" \n") | |
while True: | |
data = p.recv() | |
print data | |
# NOTE(review): both searches return None on a chunk that lacks the expected
# text, and the .group(1) calls then raise AttributeError.
i = re.search("encrypted is (.)",data) | |
x = i.group(1) | |
spacechar = str(x)[0] | |
print "space char is %c" % spacechar | |
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata1 = d.group(1) | |
# Move literal spaces in the ciphertext to the next code point first, so they
# are not mistaken for the spaces restored from spacechar on the next step.
if spacechar != " ": | |
encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
else: | |
encrypteddata2 = encrypteddata1 | |
encrypteddata = encrypteddata2.replace(spacechar," ") | |
d = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
# Raises KeyError when this length/space layout was never recorded.
c = length_brute_force[(len(encrypteddata),d)] | |
# c = caesar_generic(encrypteddata,ROUND4_CIPHER,ROUND4_PLAINT) | |
print c | |
p.send(c + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send(" \n") # give me some sample text | |
# Round 5: same statements as round 4 - recover the space positions from the
# announced space character, then look the answer up in length_brute_force.
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 5" | |
p.send(" \n") | |
while True: | |
data = p.recv() | |
print data | |
# NOTE(review): a chunk without the expected text makes either search return
# None, and .group(1) then raises AttributeError.
i = re.search("encrypted is (.)",data) | |
x = i.group(1) | |
spacechar = str(x)[0] | |
print "space char is %c" % spacechar | |
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata1 = d.group(1) | |
# encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
# Literal spaces are moved to the next code point before spacechar is mapped
# back to a space.
if spacechar != " ": | |
encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
else: | |
encrypteddata2 = encrypteddata1 | |
encrypteddata = encrypteddata2.replace(spacechar," ") | |
d = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
# Raises KeyError when this length/space layout was never recorded.
c = length_brute_force[(len(encrypteddata),d)] | |
# c = caesar_generic(encrypteddata,ROUND4_CIPHER,ROUND4_PLAINT) | |
print c | |
p.send(c + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send(" \n") # give me some sample text | |
# Round 6: same statements as rounds 4 and 5 - recover the space positions
# from the announced space character, then look the answer up in
# length_brute_force.
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 6" | |
p.send(" \n") | |
while True: | |
data = p.recv() | |
print data | |
# NOTE(review): a chunk without the expected text makes either search return
# None, and .group(1) then raises AttributeError.
i = re.search("encrypted is (.)",data) | |
x = i.group(1) | |
spacechar = str(x)[0] | |
print "space char is %c" % spacechar | |
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata1 = d.group(1) | |
# encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
# Literal spaces are moved to the next code point before spacechar is mapped
# back to a space.
if spacechar != " ": | |
encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
else: | |
encrypteddata2 = encrypteddata1 | |
encrypteddata = encrypteddata2.replace(spacechar," ") | |
d = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
# Raises KeyError when this length/space layout was never recorded.
c = length_brute_force[(len(encrypteddata),d)] | |
# c = caesar_generic(encrypteddata,ROUND4_CIPHER,ROUND4_PLAINT) | |
print c | |
p.send(c + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send(" \n") # give me some sample text | |
# Round 7: the text after "encrypted is" is compared with the ciphertext
# position by position to rebuild a word shape, which is then looked up in
# pattern_brute through get_pattern().
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 7" | |
p.send(" \n") | |
while True: | |
data = p.recv() | |
print data | |
# NOTE(review): a chunk without the expected text makes either search return
# None, and .group(1) then raises AttributeError.
i = re.search("encrypted is (.*)\n",data) | |
x = str(i.group(1)) | |
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata2 = "" | |
encrypteddata1 = d.group(1) | |
# A position where the ciphertext equals x is recorded as a space, any other
# position as "x". The loop reuses the name `i`, replacing the match object.
# x[i] raises IndexError if x is shorter than the ciphertext.
for i in range(0,len(encrypteddata1)): | |
if encrypteddata1[i] == x[i]: | |
encrypteddata2 += " " | |
else: | |
encrypteddata2 += "x" | |
# encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
encrypteddata = encrypteddata2 | |
# Raises KeyError when this word shape was never recorded.
c = get_pattern(encrypteddata) | |
# d = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
# c = length_brute_force[(len(encrypteddata),d)] | |
# c = caesar_generic(encrypteddata,ROUND4_CIPHER,ROUND4_PLAINT) | |
print c | |
p.send(c + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send(" \n") | |
# Round 8: same word-shape lookup as round 7, with the raw server data also
# dumped to round8.out. Round 9 only prints one more response and closes.
# NOTE(review): indentation was lost in this listing; loop membership of the
# statements below cannot be determined from here.
print "STARTING ROUND 8" | |
p.send(" \n") | |
while True: | |
data = p.recv() | |
# Opening with "wb" replaces the file, so only the latest data written here
# remains on disk.
f = open("round8.out","wb") | |
f.write(data) | |
f.close() | |
print data | |
# NOTE(review): a chunk without the expected text makes either search return
# None, and .group(1) then raises AttributeError.
i = re.search("encrypted is (.*)\n",data) | |
x = str(i.group(1)) | |
d = re.search("What is (.*) decrypted?",data) | |
encrypteddata2 = "" | |
encrypteddata1 = d.group(1) | |
# A position where the ciphertext equals x is recorded as a space, any other
# position as "x". x[i] raises IndexError if x is shorter than the ciphertext.
for i in range(0,len(encrypteddata1)): | |
if encrypteddata1[i] == x[i]: | |
encrypteddata2 += " " | |
else: | |
encrypteddata2 += "x" | |
# encrypteddata2 = encrypteddata1.replace(" ",chr(ord(spacechar) + 1)) | |
encrypteddata = encrypteddata2 | |
# Raises KeyError when this word shape was never recorded.
c = get_pattern(encrypteddata) | |
# d = (countspaces(encrypteddata),firstspace(encrypteddata)) | |
# c = length_brute_force[(len(encrypteddata),d)] | |
# c = caesar_generic(encrypteddata,ROUND4_CIPHER,ROUND4_PLAINT) | |
print c | |
p.send(c + "\n") | |
data = p.recv() | |
print data | |
if "TUCTF" in data: | |
break | |
p.send(" \n") | |
print "STARTING ROUND 9" | |
p.send(" \n") | |
print p.recv() | |
p.close() |